Jo Stewart-Rattray

Director of Technology & Security Assurance for BRM Advisory

I head a South Australia based advisory practice, BRM Advisory, focussed on technology and security, but since 2019 I have been on secondment as chief security officer to Silver Chain Group, a provider of in-home health and aged care services with over 100,000 clients across Western Australia, South Australia, New South Wales, Victoria and Queensland, and I’m responsible for all things security across the organisation.

I report regularly to the board’s audit & risk committee and I work very closely with the head of risk and assurance to make sure that cyber is captured as part of operational risk, given that it can easily be material in nature.

Silver Chain is big, complex and national. We have nursing stations in some very remote locations in rural, regional and remote Australia. One such nursing station is three hours by boat from the mainland. Connectivity is an issue, to say the very least.

Filling roles in cybersecurity is always a challenge, as is finding the right person for each role, particularly because I want a good cultural fit as well as a strong skill set.

Also, we know that organisations are leaving $$$s on the table by not employing more women across the tech workforce generally, and in security, in particular. According to a Petersen Institute research initiative this amount could be as much as $US12 trillion per annum. So, inequality is costing everyone.

Lack of gender diversity, and of diversity of thinking, will have an impact on capability, without question. However, simply employing more women is not the answer. They must be given the same opportunities at the same rate of pay as their male peers. Inclusion is exceptionally important as part of this journey toward equality.

In circumstances where I need to keep the permanent full-time headcount low I like to use appropriately credentialled and experienced external resources. As I have been in the game long enough I have developed a strong, but small network of trusted advisers who I work with.

I have developed a strong collaboration with my colleagues in Facilities, Risk and Privacy across security and infrastructure, and we work closely on a number of fronts.

We have approximately 2000 staff members permanently on the road using nothing but mobile devices. So the pandemic did not really affect that part of the operation, but we did have a challenge to move our two 24x7x365 call centres off site and into people’s homes!

Technology is essential to what those 2000 mobile staff members do, but it’s not a core part of what they do. So the human factor and education is very important for cybersecurity.

We also need to remember that in organisations where technology is not the core of the business special attention must be given to the human factor and education must be appropriate and delivered using multiple modalities to ensure that we reach everyone.

But it’s not only those field workers who need to be security-conscious. We need to ensure that, from the top of the org chart all the way down, appropriate education and awareness raising activities are in place. This is particularly important given the evolving nature of the threats we face in the cyber world.

It is always the wetware – the human factor – that is a continuous component that needs to be addressed.

We’re turning those weak links into human firewalls and we’re seeing the organisation slowly move to a security-first approach. It’s one of the most satisfying aspects of my role.

I have gained a number of security qualifications in the course of my career. I am a Certified Information Security Auditor, Certified Information Security Manager, certified in the Governance of Enterprise IT, certified in Risk in Information Systems and a Certified Professional (Cyber Security).

I work closely with colleagues from HR, Privacy/Legal and Risk to build up a holistic approach using a multimodal methodology to deliver cybersecurity training. And of course, let’s not forget the need to include friendly phishing campaigns that have an educational component too.

I started my career in infrastructure, became a CIO and then took a decision to move into security. I’d advise anyone embarking on a career in cybersecurity to join a professional body, network, take advantage of professional development opportunities afforded by professional bodies, and get involved with advisory groups and the like to give back to the profession. It has led me to a seat on the board of directors of an international not-for-profit organisation with annual revenues of $US100 million, to being involved with a number of publications, to setting standards, developing frameworks and being the volunteer founder of a global women in technology initiative.

Those qualifications were all challenging to obtain, in different ways and for different reasons. A couple of the certifications I was ‘grandfathered’ into, which is a recognition of prior learning in this part of the world. But as it turned out, with the amount of work required to prove compliance it would have been just as easy to do the exam!

I don’t see any of those qualifications as being a waste of time, and I believe they have enhanced my effectiveness as a security professional. However, I believe career progression is a combination of factors: credentials/qualifications, experience and your own will to achieve. Having a natural curiosity, willingness to research new methods, and psychology — which I have studied — have also been extremely helpful in informing my practice. Also, I don’t believe you can do this job without continual learning, reading and researching, and keeping abreast of trends locally and across the globe. I spend a lot of time reading white papers, the tech press, talking with compatriots, and keeping abreast of legislative changes.

www.linkedin.com/in/jo-stewart-rattray-cism-cgeitcisa-crisc-cp-4991a12/

twitter.com/jo_sr01

www.youtube.com/results?search_query=Jo+stewart-rattray